Full Report
Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below - CVE-2024-44308 (CVSS score: 8.8) - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content CVE-2024-44309 (CVSS score: 6.1
Analysis Summary
As a vulnerability research specialist, here is the actionable summary of the reported security flaws in Apple products:
# Vulnerability: Apple Actively Exploited Zero-Day Vulnerabilities in JavaScriptCore and WebKit
## CVE Details
- **CVE ID:** CVE-2024-44308
- **CVSS Score:** 8.8 (High)
- **CWE:** Not explicitly provided, but related to arbitrary code execution from web content.
- **CVE ID:** CVE-2024-44309
- **CVSS Score:** 6.1 (Medium)
- **CWE:** Not explicitly provided, but related to XSS from web content processing.
## Affected Systems
- **Products:** iOS, iPadOS, macOS, visionOS, Safari
- **Versions:** Affected versions prior to the patches listed below.
- **Configurations:** Processing malicious web content (for both), specifically noted to have been exploited on Intel-based Mac systems for at least one of the flaws.
## Vulnerability Description
**CVE-2024-44308 (JavaScriptCore):** This vulnerability allows for **arbitrary code execution** when the affected device processes specially crafted web content. Apple fixed this by improving checks within the JavaScriptCore engine.
**CVE-2024-44309 (WebKit):** This is a cookie management vulnerability in WebKit that could lead to a **Cross-Site Scripting (XSS)** attack when processing malicious web content. Apple fixed this by improving state management.
## Exploitation
- **Status:** Actively exploited in the wild.
- **Complexity:** Low (Implied by the nature of browser/JavaScript engine flaws leveraged via web content).
- **Attack Vector:** Network (via malicious web content).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2024-44308 | High (Arbitrary Code Execution) | High (Arbitrary Code Execution) | High (System Compromise) |
| CVE-2024-44309 | Medium (XSS) | High (XSS/Data Tampering) | Low |
## Remediation
### Patches
Apple released urgent updates to address these flaws:
* **iOS 18.1.1** and **iPadOS 18.1.1** (For iPhone XS and later, compatible iPads)
* **iOS 17.7.2** and **iPadOS 17.7.2** (For older compatible devices)
* **macOS Sequoia 15.1.1**
* **visionOS 2.1.1** (For Apple Vision Pro)
* **Safari 18.1.1** (For Macs running macOS Ventura and macOS Sonoma)
### Workarounds
No specific workarounds were detailed in the summary, strongly implying that **immediate patching is necessary** due to active exploitation.
## Detection
- **Indicators of Compromise:** Not detailed, but exploitation involving these components typically involves unusual system behavior following web browsing activity.
- **Detection Methods and Tools:** Analysis of system logs for suspicious activity related to JavaScript/WebKit process execution immediately following web interactions would be relevant. Google TAG involvement suggests sophisticated, targeted attacks may be in play.
## References
- Apple Security Updates (General reference to advisories):
- https[:]//support.apple.com/en-us/121752 (For 18.1.1/17.7.2)
- https[:]//support.apple.com/en-us/121753 (For macOS)
- https[:]//support.apple.com/en-us/121756 (For Safari)
- Article Source: https[:]//thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html